|
1121
|
8.0 |
HIGH
Network
|
-
|
-
|
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{provide…
New
|
CWE-862
Missing Authorization
|
CVE-2026-43639
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1122
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organiz…
New
|
CWE-862
Missing Authorization
|
CVE-2026-43638
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1123
|
- |
|
-
|
-
|
Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated…
New
|
CWE-200
Information Exposure
|
CVE-2026-42865
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1124
|
- |
|
-
|
-
|
Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach t…
New
|
CWE-120
Classic Buffer Overflow
|
CVE-2026-42859
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1125
|
- |
|
-
|
-
|
Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and d…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-42856
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1126
|
8.8 |
HIGH
Network
|
-
|
-
|
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_ta…
New
|
CWE-94
CWE-95
Code Injection
Eval Injection
|
CVE-2026-42603
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1127
|
9.1 |
CRITICAL
Network
|
-
|
-
|
auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the …
Update
|
CWE-287
Improper Authentication
|
CVE-2026-42560
|
2026-05-12 03:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1128
|
6.5 |
MEDIUM
Network
|
-
|
-
|
kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the k…
New
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-42316
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1129
|
8.1 |
HIGH
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_…
New
|
CWE-22
CWE-36
Path Traversal
Absolute Path Traversal
|
CVE-2026-42315
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1130
|
6.5 |
MEDIUM
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ …
New
|
CWE-22
Path Traversal
|
CVE-2026-42314
|
2026-05-12 03:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
